NU Online News Service, July 6, 5:23 p.m. – The U.S. Department of Health and Human Services has posted its first “guidance” on the new federal health information privacy regulation on its Web site, at http://www.hhs.gov/ocr/hipaa.
HHS adopted the regulation in December 2000 to implement the health privacy provisions of the Health Insurance Portability and Accountability Act of 1996.
Health insurers, large health plans, doctors and hospitals are supposed to comply with the regulation by April 14, 2003. Small health plans must comply by April 14, 2004, according to HHS.
One section of the guidance deals with health-related marketing and communications. The section notes, for example, that whether the federal health privacy regulation affects a disease management program “depends on the specifics of how the activity is conducted.”
Another section, on “business associates,” says entities covered by the health privacy regulation must take action when they learn that associated businesses are violating the health privacy rules. But covered entities do not have an obligation to actively monitor or oversee business associates’ privacy protection programs, HHS says.